How to Configure Network Access Protection (NAP) in Server 2012 R2?

The step by step guide to configure Network Access Protection (NAP), in Windows Server 2012 R2.. The NAP is a Microsoft technology for controlling network access of a computer, based on its health. With NAP, system administrators of an organization can define policies for system health requirements. For instance System health requirements are whether the computer has the most recent operating system updates installed. The computer host based firewall is installed and enabled etc.

The NAP is completely removed from Windows server 2016. It will be replace with Direct Access and new network policy feature Web Application Proxy. Also the DHCP servers are no longer capable of enforcing NAP policies.

Network Policy Server in Windows Server 2016

The above screenshot is Network Policy Server in Windows Server 2016 without Network Access Protection. It shows that you must get ready to migrate from NAP to DirectAccess and Windows Web Application Proxy in Server 2016. I didn’t want to write this article, so it must be written for new admins in Windows Server 2008 and 2012 R2.

Configure Network Access Protection

This post is going to configure network access protection. If you don’t know the installation, read the below article about installation of NAP in Windows server 2012 R2.

  1. To configure network access protection, open network policy server from server manager.
  2. On the network policy server page, from right side select NPS (Local) then select Network Access Protection (NAP) from Standard Configuration section and click Configure NAP link.
Configure Network Access Protection in Windows Server 2012 R2

3. On the network connection method for use with NAP page, select Dynamic Host Configuration Protocol (DHCP) from Network connection method section then click Next.

Dynamic Host Configuration Protocol (DHCP) with Network Access Proteciotn

4. On the Specify NAP Enforcement Server Running DHCP Server page, just click Next. Then click Next on the Specify DHCP Scopes page. Do click Next on Configure Machine Group also.

5. On the Specify a NAP Remediation Server Group and URL click New Group and type a meaningful name for Group Name. Then click Add to specify a name for Freindly name and name or IP address of Remediation server.  When complete, click OK to close the pages.

NAP Remediation Server Group

6. Now type the help page url address on Troubleshooting URL and click Next.

Specify a NAP Remediation Server Group and URL

The Remediation Server Groups are the servers that will be made accessible to non-compliant clients. These servers can be used to patch clients to a compliant status.

7. Click Next on Define NAP Health Policy page.

Define NAP Health Policy

8. Finally click Finish to complete the NAP enforcement policy and RADIUS client configuration.

Completing NAP Enforcement Policy and RADIUS Client Configuration

9. Navigate to Network Policies and Health Polices to check whether the polices are ready for serving NAP.

Network Policies and Health Policies

So, everything good.

Configure Group Policy and Services for NAP

After installing and configuration of NAP, you should enable DHCP Client enforcement from group policy management.

  1. Type “gpmc.msc” on the run and press enter to open Group Policy Management.
  2. Expand Forest, Domain, and domain name. Then create a new group policy object, and named NAP enforcement.
  3. Now right click on the new created GPO and click Edit to edit it.
  4. Navigate to NAP Client Configuration and select Enforcement Clients. Finally right click DHCP Quarantine Enforcement Client and enable it.  Do it like below screenshot.
Configure Group Policy for Network Access Protection

5. Navigate to System Services and find Network Access Protection Agent then enable it.

Enable Network Access Protection Agent Service

6. Go to DHCP, right click IPv4 then select Properties. Now on the Network Access Protection tab, click Enable on all scopes.

Enable and Configure Network Access Protection on DHCP

That’s all, but don’t forget to configure the Windows Security Health Validator for clients. The default policy is require the Firewall and Auto Update should be enabled, Anti Virus, Spyware Protection must be installed on the client systems.

Windows Security Health Validator

OK, hope you find this article helpful. Any question? Ask through comment sections. So have a nice and great time as system admin.

DHCPHow toNAPWindows Server 2012 R2
Comments (9)
Add Comment
  • Bismillah

    Salam ustad……….
    How to add computer (client) to domain Using Cmd?
    I Typted : Add-computer -domainname perfect.local -credential Ali@perfect.local -passthru

    But could not perform, please tell me the solution….
    Thanks.

  • Bismillah

    Thank u ustad, found the defect.

    • Shais

      Your welcome dear Bismillah,
      What defect do you mean? Is there any problem with your lab?

  • Karar

    Thanks for sharing it, that’s what I am working on it.

    • Shais

      Well done, It’s my pleasure to help you to improve you networking skill.

  • Faiz Orz

    Thanks, dear admin. it was my need that I found.
    Is it work with Windows server 2016 also or not ?

  • Jiji Mathew

    Nice explanation with clear steps. Thank you.

  • Daniel MBA

    Well structured and very helpful. Splendid effort.